Transport Layer Security (TLS) 1.0 and 1.1 to be deprecated on all Symantec VIP URLs
search cancel

Transport Layer Security (TLS) 1.0 and 1.1 to be deprecated on all Symantec VIP URLs

book

Article ID: 245528

calendar_today

Updated On:

Products

VIP Service

Issue/Introduction

VIP  service will disable TLS 1.0 and 1.1 protocols on all VIP endpoints and APIs. After this change, only TLS 1.2 and TLS 1.3 protocols will be supported on VIP API URLs, including Enterprise Gateway and VIP Web Service API endpoints. TLS 1.2 will be supported on VIP Web portals.

Resolution

Transport Layer Security (TLS) v1.0, 1.1, and 1.2 are security protocols for establishing encryption channels over computer networks. The VIP API URL endpoints currently support all 3 of these protocols. Due to evolving regulatory requirements, and as part of Broadcom's continuous effort to maximize the security of our platforms, TLS v1.0 and v1.1 will be disabled on all VIP URLs. TLS v1.2 will remain the only supported TLS version on the VIP Web Portals, and TLS v1.2 and 1.3 will be supported on the VIP API endpoints.  

TLS 1.2 and 1.3 will be the supported protocols on the following VIP API endpoints:

  • services-auth.vip.symantec.com
  • services.vip.symantec.com
  • userservices-auth.vip.symantec.com
  • userservices.vip.symantec.com
  • goidservices-auth.vip.symantec.com
  • liveupdate.symantecliveupdate.com
  • liveupdate.symantec.com
  • api-auth.vip.symantec.com 
  • reporting-auth.vip.symantec.com
  • login.vip.symantec.com
  • messaging.vip.symantec.com
  • services-auth.vip.symantec.com/prov/soap

TLS 1.2 will be the supported protocol on the following VIP Web URLs:

  • manager.vip.symantec.com (VIP Manager)
  • ssp.vip.symantec.com (VIP Self-Service Portal)
  • my.vip.symantec.com (My VIP)
  • vip.symantec.com (VIP token information)

What do I need to do?

  • VIP Enterprise Gateway - Version 9.8.4 and later supports TLS 1.2. Version 9.8.3 or older does not support TLS 1.2 and must be upgraded. Symantec recommends upgrading to version 9.9.2 or later.
  • VIP Service APIs - If your application consumes a VIP URL, confirm that each component involved in connecting to the VIP API endpoints is upgraded and configured to use TLSv1.2 and strong cipher suites. TLS 1.2 must be supported by the operating system, operating system’s SSL libraries, application server security components, network proxy, firewall, SOAP\REST agents, and platform (Java and Java libraries, .NET framework, OpenSSL, PHP, Python, etc). Always consult your software package documentation and IT support staff or vendor before making any changes. VIP API WSDL files do not need to be upgraded for this change.  
  • VIP Integrations - Upgrade any VIP integration or plugin to the latest available version in VIP Manager. This includes the VIP integration for AD FS, IIS, Oracle, and Epic.

What Cipher Suites will be supported?

In preferred order:
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x84)
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x41)

How can I be notified of the VIP changes?
Receive notifications by subscribing to the Symantec VIP status page. Click Subscribe at the top of the page, select the delivery method, then select all sub-components under VIP. De-select other components if you don't want notifications from those products. (See: Signing up for VIP Service alerts

Have additional questions?
If you have further questions or need technical support:

Contact your Broadcom Account Team.
Open a Symantec Technical Support Case: https://support.broadcom.com/security
Post questions to the VIP community discussion room.

Additional Information

TESTING TLS 1.2 CONNECTIVITY

To avoid a service interruption, perform connection tests from any VIP server within your environment prior to the change and take immediate action if TLS 1.0 or TLS 1.1 is used when connecting to VIP Services.

METHOD 1

Use Wireshark (or another packet capturing tool) to determine what protocol is used when your application connects to VIP Services:

  • Determine the VIP URL in the application and the IP address it resolves to. In this example, the VIP plugin for AD FS is calling userservices-auth.vip.symantec.com: 

  • Launch Wireshark. While capturing traffic, perform a successful VIP Authentication, then filter the results by the IP address.

    Sample of supported TLS 1.2 before and after October 2022 TLS update:


  • Sample of unsupported TLS 1.1 after October 2022 TLS update. Action required:

METHOD 2

  • Using your existing VIP Service client, send test traffic to one of the following VIP end-points:

-- For https://services-auth.vip.symantec.com/, send traffic to https://ssl-test.services-auth.vip.symantec.com
-- For https://userservices-auth.vip.symantec.com/, send traffic to https://ssl-test.userservices-auth.vip.symantec.com/

  • Open a VIP support case and provide the transaction request ID (if available) and the public IP address used to send the request to the VIP Cloud.
  • VIP support will provide the following within 48 hours:
    • The endpoint the request was sent to 
    • The public IP address the request was received from at the VIP front end.
    • The protocol and cipher suite client used by your client. 
  • Revert all traffic back to the original URL. 

Additional testing of push/OTP:

You can check your push or OTP requests status from VIP Manager > Reports > VIP End User Transaction Report if its failing or getting success.

Attachments

Powered by Wolken Software